Blazor Security - Razor Pages custom authentication/security

Question

I'm trying to build a Blazor application that is hosted on the server and the starting point is inside a razor page. Something like that:

<component type="typeof(Main)" render-mode="ServerPrerendered" param-Data="@simple"/>

My questions are:

• What happens if the razor page has an Authorized Attribute, is all blazor code than correctly secured with the authentication ?
• Is it impossible to call the blazor app without the razor page circuit id ?

• What if my razor page does have a custom authentication based on database values inside the OnGetAsync method - do I need to redo some of that stuff inside blazor or does the stateful component only gets rendered when the razor page works ?

• What happens if I have an arbitrary if/else block that would have a button call, would that button call be guarded by the state ?

Something along the lines:

@if (HasPermission)
{
   <button type="button" onclick="MutateDatabase">MutateDatabase</button>
}

Answer 1

I assume you run Blazor Server (At the time of writing WASM is still in preview and will be quite different security-wise).

The documentataion states that Blazor does indeed integrate with ASP.NET Core identity:

Blazor Server apps include a built-in AuthenticationStateProvider service that obtains authentication state data from ASP.NET Core's HttpContext.User. This is how authentication state integrates with existing ASP.NET Core server-side authentication mechanisms.

Now, to your questions:

1. Given your rendering mode, for Blazor to kick in, the Razor page has to render an initial state and mark the element where Blazor is to manage the view later on. The way AuthorizeAttribute works (I presume this is what you meant?) will block the page from rendering, so this should prevent Blazor from starting altogether - you will get redirected away to authenticate. Once your users are past that gate though - be aware that Blazor handles [Authorize] on child controls differently:

   Only use [Authorize] on @page components reached via the Blazor Router. Authorization is only performed as an aspect of routing and not for child components rendered within a page. To authorize the display of specific parts within a page, use AuthorizeView instead.

   (this doesn't seem to be your case, but I'd put it here just in case)

2. I'm not entirely sure if I understand the statement here: circuit is the term MS uses to identify the slice of server where your application instance lives while it's displayed to a client. The connection is maintained via websockets and is generally scoped to a session (check out cookies and url parameters to your /_blazor endpoint). The user is however not guaranteed to have same circuit throughout application lifetime (due to connection issues or server load-balancer config) - and it is fine, you are expected to handle state persistance across circuits yourself.

3. This case I believe will be the same as (1): you don't get Blazor to start until hosting Razor view is rendered.

4. It's probably best to follow Blazor's security management page: you have a couple of options to ensure you're catering for authenticated users:

   1. Use <AuthorizeView> to control what gets rendered:

   <AuthorizeView>
   <Authorized>
       <button type="button" onclick="MutateDatabase">MutateDatabase</button>
   </Authorized>
   <NotAuthorized>
       <p>You're not signed in.</p>
   </NotAuthorized>
   </AuthorizeView>
   

   You can technically use an if (user.IsInRole()) statement, but that might not get updated when User AuthenticationState changes.

   If this is not sufficient, you can either pick up cascading AuthenticationState parameter or look at implementing your own AuthenticationStateProvider